Data Protection Act 1998 (DPA)
The Data Protection Act 1998, commonly abbreviated to DPA, is a UK Act of Parliament which sets out the legislation for data about living people. In the UK the DPA is the main piece of legislation that covers data protection. This legislation was created to bring British law into line with the rules set out in the 1995 EU Data Protection Directive. In practice, the Act provides a way for people to control how information about them is handled. The vast majority of the DPA does not apply to domestic use, but anyone holding data for another purpose must comply with this Act unless they fall under one of its exemptions. The Act provides 8 principles for Data Protection that must be followed.

Personal Data

The Act defines "personal data" as any data that can be used to identify a living individual. Aggregated data and anonymised data are generally exempt from the Act, provided the aggregation or anonymisation has been carried out in a way that cannot be reversed. Individuals can be identified by a range of identifiers, including phone numbers, e-mail addresses, names and addresses. The Act applies to data that is held, or is intended to be held, on a computer system, and to data held in a 'relevant filing system'. The term 'relevant filing system' can in some cases describe a diary used in support of commercial activities, similar to a manager's diary. The Freedom of Information Act 2000 made some modifications to the Act for public bodies and authorities.

The Act created rights for people whose data is stored, and responsibilities for those who store it. The person to whom the data refers (the data subject) is granted the following rights:

* View data that an organisation holds on that person. (A fee can be charged for this service.)
* Request that information that is incorrect be corrected. If the company fails to do this, a Court Order for the data to be corrected or destroyed can be issued, alongside compensation in some cases.
* Require that their data is not used in a way which could potentially cause distress or damage.
* Require that the data held on them is not used for direct marketing.

Data Protection Principles

There are 8 Data Protection Principles which must be followed:

1. Personal data must be processed in a fair and lawful way, and in particular must not be processed unless:
   * at least one of the conditions in Schedule 2 is met, and
   * where sensitive personal data is concerned, at least one of the conditions in Schedule 3 is also met.
2. Personal data must only be obtained for one or more specified and lawful purposes, and must not be further processed in any manner that is incompatible with those purpose(s).
3. Personal data must be adequate, relevant and not excessive in relation to the purpose(s) for which it is processed.
4. Personal data must be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose must not be kept longer than is needed for that purpose.
6. Personal data must be processed in accordance with the data subject's rights.
7. Appropriate measures must be taken against unauthorised and unlawful processing of personal data, and against accidental loss, destruction or damage to that data.
8. Personal data must not be transferred to an area outside the European Economic Area unless that area ensures an adequate level of protection for the data.

Conditions relevant to the first principle

Personal data must only be processed in a way that is both fair and lawful. For personal data to be classed as 'fairly processed', at least one of these six conditions must apply to that data:

1. The data subject has given their permission for the processing of this data.
2. Processing of this data is necessary for the commencement or performance of a contract.
3. Processing of this data is required by a legal obligation (other than one stated in a contract).
4. Processing of this data is necessary in order to protect the data subject's vital interests.
5. Processing of this data is needed to carry out any public functions.
6. Processing of this data is necessary in order to pursue the interests of the 'data controller' or 'third parties' (unless this could cause unjustifiable prejudice to the data subject's interests).

Consent

Except under certain exceptions, which are outlined below, the data subject must consent to their personal information being collected and used for the specified purpose. Consent is defined by the European Data Protection Directive as "…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed". This means the agreement may be signified other than in writing. However, non-communication should not be interpreted as consent. Additionally, consent should be appropriate when taking into account the age and mental capacity of the data subject, among other considerations. Even where consent has been given, it should not be assumed to last forever. Although in most cases consent lasts for as long as is needed for the personal data to be processed, individuals may also withdraw their consent, depending on the nature of the consent given and the circumstances in which the information is being collected and used. The Act also specifies that sensitive personal data must be processed according to a stricter set of conditions; in particular, any consent given must be explicit.

Exceptions

The DPA is structured so that the processing of any personal data is covered by the Act, while also providing a range of exceptions. The most notable exceptions are:

* Section 28 - National Security. Any processing of data for the purpose of safeguarding national security is exempt from all DPA Principles as well as Parts II, III and V and Section 55.
* Section 29 - Crime & Taxation. Data processed for the purpose of preventing or detecting crime, apprehending or prosecuting offenders, or assessing or collecting taxes is exempt from the first DPA Principle.
* Section 36 - Domestic Purposes. Processing of data by an individual, and only for the purpose of that individual's personal, family and household affairs, is exempt from all DPA Principles and also Parts II and III.

Offences

The DPA details a number of both criminal and civil offences for which the data controller may be liable if they fail to obtain the appropriate consent from the data subject. 'Consent' is, however, not defined in the Act and is therefore a common law matter.

* Sub-section 21(1) makes it an offence to process personal information without registration.
* Sub-section 21(2) makes it an offence to fail to comply with notification regulations made by the Secretary of State.
* Section 55 makes the unlawful obtaining of personal data an offence. This covers parties outside the organisation, for example hackers or impersonators, gaining unauthorised access to personal data.
* Section 56 makes it an offence to require an individual to make a Subject Access Request in relation to cautions or convictions for the purpose of recruitment, continued employment or the provision of services. Section 56 came into force on the 10th March 2015.

Complexity

The UK DPA is a large Act that has built up a reputation for complexity. While its basic principles for the protection of privacy are honoured, interpretation of the Act is not always easy. A lot of organisations, individuals and companies appear to be very unsure of the aims, content and principles of the DPA. Some hide behind the Act and refuse to provide even the simplest information, quoting the Act as the reason. The Act also affects the ways in which organisations can contact people for marketing purposes, not only by phone and direct mail but also via electronic communication.

Interpretation

Definition of personal data

Personal data is data that relates to an individual who can be identified by:

* The data in question
* The data in question together with other information that is in, or is likely to come into, the possession of the Data Controller.

Sensitive Personal Data is data that relates to the race, ethnicity, political stance, religious views, trade union status, health, sexual life or criminal record of a subject.

Subject Access Requests

The Information Commissioner's Office website states that, "You have the right to get a copy of the information that is held about you. This is known as a subject access request. This right of subject access means that you can make a request under the Data Protection Act to any organisation processing your personal data. The Act calls these organisations 'data controllers'. You can ask the organisation you think is holding, using or sharing the personal information you want, to supply you with copies of both paper and computer records and related information. Organisations may charge a fee of up to £10 (£2 if it is a request to a credit reference agency for information about your financial standing only)."

Regulation

Compliance with the Act is regulated and enforced by an independent authority, the Information Commissioner's Office. This authority is also responsible for maintaining guidance in relation to the Act.